Analysis
- max time kernel: 109s
- max time network: 111s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 28-09-2021 11:19
Static task: static1
Behavioral task: behavioral1
- Sample: CMR-7146846_PDF.pif.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: CMR-7146846_PDF.pif.exe
- Resource: win10-en-20210920
General
- Target: CMR-7146846_PDF.pif.exe
- Size: 310KB
- MD5: 71028a6ec414b1642243aa4981a3365f
- SHA1: 630b016a94f7bee220565d3b9a55a2ae8ef73c5a
- SHA256: 167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918
- SHA512: 4c403091f4839867d7465e437f30eb3648a114ebf1e16cadbcd4a232f2c9b75fac1ef4d9b7081314eeabb33eb9579ce39373385f122c3104e7a7815c007b790a
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.globalmedical.nl
- Port: 587
- Username: vic@globalmedical.nl
- Password: W3oxtsMvzRhJV&eBZoFabwZV
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1612-62-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral1/memory/1612-63-0x000000000040188B-mapping.dmp: family_agenttesla
- behavioral1/memory/1612-65-0x0000000001E90000-0x0000000001EC7000-memory.dmp: family_agenttesla
- behavioral1/memory/1612-67-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- Loads dropped DLL (1 IoC)
Processes (pid / process):
- 1032 CMR-7146846_PDF.pif.exe
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
- PID 1032 set thread context of 1612: CMR-7146846_PDF.pif.exe -> CMR-7146846_PDF.pif.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 1612 CMR-7146846_PDF.pif.exe
- 1612 CMR-7146846_PDF.pif.exe
- Suspicious behavior: RenamesItself (1 IoC)
Processes (pid / process):
- 1612 CMR-7146846_PDF.pif.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 1612 CMR-7146846_PDF.pif.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description / pid / process / target process):
- PID 1032 wrote to memory of 1612: CMR-7146846_PDF.pif.exe -> CMR-7146846_PDF.pif.exe (11 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe" (depth 1)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe" (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsk45F5.tmp\agyko.dll
  MD5: 7dc59f4707dae01d8bc589b5764fbd65
  SHA1: 53397fb4fce54937bf30764283934b6573fd63a9
  SHA256: d8f687ba9eea4e69aeaad9cccafd1ecc9be0b1b09c88ab8a4b5728aba666c903
  SHA512: f89321e0382ab5ca457f040a3f4d887cae047a5ca00efce4d8a6334e307b07d130788116c30bbd22ca94739fff17e19b2c221958f013de32eac4da86cbfc680e
- memory/1032-60-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize 8KB)
- memory/1612-62-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1612-63-0x000000000040188B-mapping.dmp
- memory/1612-65-0x0000000001E90000-0x0000000001EC7000-memory.dmp (Filesize 220KB)
- memory/1612-68-0x00000000046D1000-0x00000000046D2000-memory.dmp (Filesize 4KB)
- memory/1612-67-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1612-69-0x00000000046D2000-0x00000000046D3000-memory.dmp (Filesize 4KB)
- memory/1612-70-0x00000000046D3000-0x00000000046D4000-memory.dmp (Filesize 4KB)
- memory/1612-71-0x00000000046D4000-0x00000000046D5000-memory.dmp (Filesize 4KB)